
cloudaccess.appvia.io/v2beta2

Package v2beta2 contains API Schema definitions for the CloudAccess API group

Exported Resource Types

CloudAccessCheck

CloudAccessCheck represents an account/project/subscription in a cloud provider which Wayfinder has access to

Field | Description

apiVersion
string

cloudaccess.appvia.io/v2beta2

kind
string

CloudAccessCheck
metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
CloudAccessCheckSpec
cloud
CloudAccessCloud

Cloud defines which cloud provider this credential is for

cloudIdentityRef
CloudIdentityReference

CloudIdentityRef is a reference to the credential for Wayfinder to identify itself to this cloud provider to validate this configuration.

cloudIdentity
CloudIdentitySpec

CloudIdentity defines the proposed cloud identity credentials

aws
CloudAccessConfigAWS

AWS provides the details for an AWS account. Only one of AWS, GCP or Azure can be populated.

azure
CloudAccessConfigAzure

Azure provides the details for an Azure subscription. Only one of AWS, GCP or Azure can be populated.

gcp
CloudAccessConfigGCP

GCP provides the details for a GCP project. Only one of AWS, GCP or Azure can be populated.

permissions
[]CloudAccessConfigPermission

Permissions defines the set of permissions to validate for this check.

status
CloudAccessCheckStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

valid

bool

Valid indicates if the identity and all provided roles are valid

identity
CloudAccessIdentityStatus

Identity is the status of the existing cloud identity or the provided credentials

newCloudIdentityStatus
CloudIdentityStatus

NewCloudIdentityStatus will be populated with a ‘status’ if a cloud identity spec is provided in the check. This status can be used to determine certain details used to establish cross-cloud trust.

permissions
[]CloudAccessPermissionStatus

Permissions is the status of the permissions we’ve been asked to validate

CloudAccessConfig

CloudAccessConfig represents an account/project/subscription in a cloud provider which Wayfinder has access to

Field | Description

apiVersion
string

cloudaccess.appvia.io/v2beta2

kind
string

CloudAccessConfig
metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
CloudAccessConfigSpec
type
CloudAccessConfigType

Type is the type of this cloud access config - this maps to a particular Wayfinder feature set.

cloud
CloudAccessCloud

Cloud defines which cloud provider this cloud access config represents.

description

string

Description is an optional longer human-readable description of this cloud access config to help users understand which cloud access configuration to choose.

aws
CloudAccessConfigAWS

AWS provides the details for an AWS account. Only one of AWS, GCP or Azure can be populated.

azure
CloudAccessConfigAzure

Azure provides the details for an Azure subscription. Only one of AWS, GCP or Azure can be populated.

gcp
CloudAccessConfigGCP

GCP provides the details for a GCP project. Only one of AWS, GCP or Azure can be populated.

stage

string

Stage defines the stage this cloud access config will be used for in the workspace. Optional for ‘admin’ cloud access configs, required for workspace cloud access configs.

cloudIdentityRef
CloudIdentityReference

CloudIdentityRef is a reference to the credential for Wayfinder to identify itself to this cloud provider when using this configuration.

permissions
[]CloudAccessConfigPermission

Permissions defines the possible ways in which Wayfinder can use this cloud account, along with any provider-specific information about how Wayfinder should operate when needing that permission - for example, assuming an AWS IAM role or jumping into a specific GCP service account.

status
CloudAccessConfigStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

azureTenantID

string

AzureTenantID is the Tenant ID the azure subscription resides within. This will only be populated for Azure cloud access configurations.

identity
CloudAccessIdentityStatus

Identity describes whether the referenced cloud identity is valid and accessible

permissions
[]CloudAccessPermissionStatus

Permissions is the status of the permissions that have been configured.

requiredPermissions

[]string

RequiredPermissions indicates the list of permissions that this cloud access config needs working in order for the requested type to function.

typeReady

bool

TypeReady indicates whether the cloudaccessconfig is ready to use for this type. Deprecated: Will be removed in v2, included for backwards compatibility with v2beta1.

setupRequired

bool

SetupRequired indicates that the permissions on this cloud access config require setup. Deprecated: Will be removed in v2, included for backwards compatibility with v2beta1.

identifier

string

Identifier is the account/project/subscription ID for this cloud access config.

identifierType

string

IdentifierType is the type of the identifier for this cloud access config. Will be set to “Account” for AWS, “Subscription” for Azure, and “Project” for GCP.

CloudIdentity

CloudIdentity represents an identity that Wayfinder can use to access a cloud. This represents the initial identity Wayfinder uses - it will assume into various roles from this identity as dictated by the relevant CloudAccessConfig role.

Field | Description

apiVersion
string

cloudaccess.appvia.io/v2beta2

kind
string

CloudIdentity
metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
CloudIdentitySpec
cloud
CloudAccessCloud

Cloud defines which cloud provider this credential is for

type
CloudAccessIdentityType

Type is the identity type in cloud that this represents

aws
CloudIdentityAWS

AWS is the cloud-specific settings for this cloud identity for AWS

azure
CloudIdentityAzure

Azure is the cloud-specific settings for this cloud identity for Azure

gcp
CloudIdentityGCP

GCP is the cloud-specific settings for this cloud identity for GCP

credentialsInputData

map[string]string

CredentialsInputData can be used to populate the secret when creating/updating a credential. This will never be populated when the credential is returned from the API. If specified, this must include the correct set of keys for credentials for the cloud provider that CloudAccount references.

secretRef
Kubernetes core/v1.SecretReference

SecretRef is a reference to the Kubernetes secret containing the actual key data for this credential. If the secret does not exist but CredentialsInputData is populated, this secret will be created. This can also be a reference to an existing secret managed outside Wayfinder. Where CredentialsInputData is specified but this is left blank, Wayfinder will assign this value.

credentialsUpdated
Kubernetes meta/v1.Time

CredentialsUpdated should be set to the current time when an underlying secret is updated. This will be automatically set to the current time if CredentialsInputData is set. If you manually change the secret outside Wayfinder, update this field to trigger re-verification of this credential.

status
CloudIdentityStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

azureTenantID

string

AzureTenantID is the Tenant ID, when known. For an implicit identity, this will be detected from the environment in which Wayfinder is running.

azurePrincipalID

string

AzurePrincipalID is the Principal ID, when known. This is set when Wayfinder is installed on an AKS cluster, and can be referenced and used when creating Azure role assignments for Wayfinder.

gcpServiceAccountID

string

GCPServiceAccountID is the Service Account ID. It will be obtained dynamically.

verified

bool

Verified checks that the credentials are ok and valid

identity

string

Identity is the unique reference to the cloud principal, e.g. an AWS role, a GCP service account, etc.

oidc
CloudIdentityOIDC

OIDC provides details of an OIDC issuer that can be used to verify/trust this identity when operating in cross-cloud flows.

WorkloadIdentity

WorkloadIdentity represents an identity for a kubernetes workload in a specific cloud provider / cloud account

Field | Description

apiVersion
string

cloudaccess.appvia.io/v2beta2

kind
string

WorkloadIdentity
metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
WorkloadIdentitySpec
cloud
CloudAccessCloud

Cloud defines which cloud provider this workload identity is for

cloudAccessConfigRef
CloudAccessConfigReference

CloudAccessConfigRef defines which cloud access configuration to use to build this workload identity in

cluster
Ownership

Cluster is a reference to the cluster which this workload identity will be used in.

clusterServiceAccount
ClusterServiceAccount

ClusterServiceAccount is the name and namespace of the service account which will use this identity in the target cluster. Required on AWS and GCP, optional (and unused) on Azure at this time.

providerDetails
WorkloadIdentityProviderDetails

ProviderDetails provides additional fields which can be used for cloud-provider specific data needed to provision a workload identity.

role
WorkloadIdentityRole

Role must be the name of a valid workload identity role known to Wayfinder. It can optionally be None to indicate that no specific permissions are defined for the identity.

identityOnly

bool

IdentityOnly will create an identity associated with a cluster with no specific permissions. Must specify Role=None if this is true.

In AWS:
- An IAM role is created and associated with a specific Kubernetes service account
- No inline or attached policies are managed (post creation of the IAM role)
- It is a “user” responsibility to attach policies to the IAM role

In Azure:
- The user-defined managed identity is created
- No role definitions or role assignments are created
- It is a “user” responsibility to create relevant role assignments

roleParameters

map[string]string

RoleParameters are any parameters required for the specified role

cloudResourceName

string

CloudResourceName specifies the name of the workload identity in the cloud account. It can be left blank so that the name is derived from the cluster name + resource name.

status
WorkloadIdentityStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

identity

string

Identity contains a cloud-provider specific reference to the identity created for this resource, e.g. an AWS ARN or GCP service account email

Internal Resource Types

AWSCloudPermissions

(Appears on: CloudPermissionSpec)

AWSCloudPermissions describes the permissions required for a particular Wayfinder cloud permission on AWS

Field | Description
actions

[]string

condition

string

effect

string

resource

string

AWSWorkloadIdentityParameters

(Appears on: WorkloadIdentityProviderDetails)

AWSWorkloadIdentityParameters is the parameters for an AWS workload identity

Field | Description
iamPolicies

[]string

(Optional)

IAMPolicies defines a list of (additional) IAM policies to bind to the workload identity role. It is assumed that these will exist in the target AWS account for the cluster, therefore use either built-in AWS-managed policies or make sure that your process for managing policies in your accounts will always ensure these policies exist in any account this package may be deployed into.
- For AWS-managed policies, specify the full ARN (e.g. arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess)
- For self-managed policies, specify the ARN without an account ID (e.g. arn:aws:iam:::policy/myorg-policy-s3-write)

customIAMPolicy
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

CustomIAMPolicy defines an additional dedicated IAM policy to create and bind to this workload identity.
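
The WorkloadIdentity spec above states several constraints in prose: identityOnly requires Role=None, the role must be one Wayfinder knows, clusterServiceAccount is required on AWS and GCP, cloudResourceName falls back to cluster name + resource name, and AWSWorkloadIdentityParameters.iamPolicies must be full ARNs for AWS-managed policies and account-less ARNs for self-managed ones. The Go below is an added example of checking a manifest against those rules before it is applied; it is not the project's own validation code. The struct mirrors, the knownRoles set, the "-" joiner for the derived name, and the check that an identity-only identity should not declare policies are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative mirrors of the WorkloadIdentity fields used below (not the project's generated types).
type ClusterServiceAccount struct{ Name, Namespace string }

type AWSWorkloadIdentityParameters struct {
	IAMPolicies     []string
	CustomIAMPolicy string // raw policy JSON (the page types this as apiextensions v1.JSON)
}

type WorkloadIdentityProviderDetails struct{ AWS *AWSWorkloadIdentityParameters }

type WorkloadIdentitySpec struct {
	Cloud                 string
	ClusterName           string // the name part of spec.cluster (an Ownership on the page)
	ClusterServiceAccount *ClusterServiceAccount
	ProviderDetails       WorkloadIdentityProviderDetails
	Role                  string
	IdentityOnly          bool
	CloudResourceName     string
}

// Policy ARN shapes the page asks for: full ARN for AWS-managed policies,
// and no account ID for self-managed ones.
var (
	awsManagedPolicyARN  = regexp.MustCompile(`^arn:aws:iam::aws:policy/[A-Za-z0-9+=,.@_/-]+$`)
	selfManagedPolicyARN = regexp.MustCompile(`^arn:aws:iam:::policy/[A-Za-z0-9+=,.@_/-]+$`)
)

// ValidateWorkloadIdentitySpec returns one message per violated rule; an empty
// result means the spec passes. knownRoles is an assumed caller-supplied set of
// the workload identity role names known to this Wayfinder instance.
func ValidateWorkloadIdentitySpec(s WorkloadIdentitySpec, knownRoles map[string]bool) []string {
	var errs []string
	if s.IdentityOnly && s.Role != "None" {
		errs = append(errs, "identityOnly=true requires role=None")
	}
	if s.Role != "None" && !knownRoles[s.Role] {
		errs = append(errs, fmt.Sprintf("role %q is not a workload identity role known to Wayfinder", s.Role))
	}
	if s.Cloud == "aws" || s.Cloud == "gcp" {
		if sa := s.ClusterServiceAccount; sa == nil || sa.Name == "" || sa.Namespace == "" {
			errs = append(errs, "clusterServiceAccount name and namespace are required on AWS and GCP")
		}
	}
	if aws := s.ProviderDetails.AWS; aws != nil && s.Cloud == "aws" {
		for _, arn := range aws.IAMPolicies {
			switch {
			case awsManagedPolicyARN.MatchString(arn), selfManagedPolicyARN.MatchString(arn):
				// acceptable shape
			case strings.HasPrefix(arn, "arn:aws:iam::"):
				errs = append(errs, fmt.Sprintf("iamPolicies entry %q embeds an account ID; self-managed policies must be written as arn:aws:iam:::policy/<name>", arn))
			default:
				errs = append(errs, fmt.Sprintf("iamPolicies entry %q is not a policy ARN", arn))
			}
		}
		// Assumed consistency check: the page says no inline or attached policies
		// are managed for an identity-only identity, so declaring them is a mistake.
		if s.IdentityOnly && (len(aws.IAMPolicies) > 0 || aws.CustomIAMPolicy != "") {
			errs = append(errs, "identityOnly=true but providerDetails.aws declares policies that would not be managed")
		}
	}
	return errs
}

// CloudResourceNameFor returns the name used in the cloud account: the explicit
// cloudResourceName, or cluster name + resource name when it is blank (joining
// with "-" is an assumption; the page only says the name is derived from both).
func CloudResourceNameFor(s WorkloadIdentitySpec, resourceName string) string {
	if s.CloudResourceName != "" {
		return s.CloudResourceName
	}
	return s.ClusterName + "-" + resourceName
}

func main() {
	known := map[string]bool{"example-s3-reader": true} // constructed role name
	spec := WorkloadIdentitySpec{ // constructed sample manifest
		Cloud: "aws", ClusterName: "prod-eks", Role: "None", IdentityOnly: true,
		ClusterServiceAccount: &ClusterServiceAccount{Name: "payments", Namespace: "shop"},
		ProviderDetails: WorkloadIdentityProviderDetails{AWS: &AWSWorkloadIdentityParameters{
			IAMPolicies: []string{"arn:aws:iam::123456789012:policy/payments-rw"}, // deliberately wrong shape
		}},
	}
	fmt.Println("cloud resource name:", CloudResourceNameFor(spec, "payments"))
	for _, e := range ValidateWorkloadIdentitySpec(spec, known) {
		fmt.Println("violation:", e)
	}
}
```

Running this against the constructed sample reports two violations: the policy ARN embeds an account ID, and an identity-only identity is declaring policies that Wayfinder would never attach, which is the situation the "user responsibility" bullets above describe.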

AzureCloudPermissions

(Appears on: CloudPermissionSpec)

AzureCloudPermissions describes the permissions required for a particular Wayfinder cloud permission on Azure

Field | Description
actions

[]string

AzureWorkloadIdentityParameters

(Appears on: WorkloadIdentityProviderDetails)

AzureWorkloadIdentityParameters is the parameters for an Azure workload identity

Field | Description
podSelector

string

PodSelector specifies the unique string that will be set on the Identity. This allows AAD Pod Identity to find the pods that are associated with it. DEPRECATED: This is no longer used as AAD Pod Identity is deprecated.

roleAssignments
[]AzureWorkloadIdentityRoleAssignment

RoleAssignments is a list of role assignments to create for the identity

AzureWorkloadIdentityRoleAssignment

(Appears on: AzureWorkloadIdentityParameters)

Field | Description
scope

string

Scope is the scope of the role assignment

roleDefinitionName

string

RoleDefinitionName is the name of the role definition to assign to the identity

CloudAccessCheckSpec

(Appears on: CloudAccessCheck)

Field | Description
cloud
CloudAccessCloud

Cloud defines which cloud provider this credential is for

cloudIdentityRef
CloudIdentityReference

CloudIdentityRef is a reference to the credential for Wayfinder to identify itself to this cloud provider to validate this configuration.

cloudIdentity
CloudIdentitySpec

CloudIdentity defines the proposed cloud identity credentials

aws
CloudAccessConfigAWS

AWS provides the details for an AWS account. Only one of AWS, GCP or Azure can be populated.

azure
CloudAccessConfigAzure

Azure provides the details for an Azure subscription. Only one of AWS, GCP or Azure can be populated.

gcp
CloudAccessConfigGCP

GCP provides the details for a GCP project. Only one of AWS, GCP or Azure can be populated.

permissions
[]CloudAccessConfigPermission

Permissions defines the set of permissions to validate for this check.

CloudAccessCheckStatus

(Appears on: CloudAccessCheck)

Field | Description
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

valid

bool

Valid indicates if the identity and all provided roles are valid

identity
CloudAccessIdentityStatus

Identity is the status of the existing cloud identity or the provided credentials

newCloudIdentityStatus
CloudIdentityStatus

NewCloudIdentityStatus will be populated with a ‘status’ if a cloud identity spec is provided in the check. This status can be used to determine certain details used to establish cross-cloud trust.

permissions
[]CloudAccessPermissionStatus

Permissions is the status of the permissions we’ve been asked to validate

CloudAccessCloud

(string alias) (Appears on: CloudAccessCheckSpec, CloudAccessConfigSpec, CloudIdentityMeta, CloudIdentitySpec, WorkloadIdentitySpec)

CloudAccessCloud is the cloud provider

Value | Description
"aws"
"azure"
"gcp"

CloudAccessConfigAWS

(Appears on: CloudAccessCheckSpec, CloudAccessConfigSpec)

CloudAccessConfigAWS is the AWS-specific configuration for a CloudAccessConfig

Field | Description
account

string

Account is the AWS account to use.

defaultRegion

string

DefaultRegion is an optional default region to use for API access in this account when no region is specified for the operation. This is used to determine, for example, which region to use to talk to global services such as Route53 in AWS, e.g. eu-west-2.

CloudAccessConfigAzure

(Appears on: CloudAccessCheckSpec, CloudAccessConfigSpec)

CloudAccessConfigAzure is the Azure-specific configuration for a CloudAccessConfig

Field | Description
subscription

string

Subscription is the identifier for the subscription to use. Must be a lowercase UUID

tenantID

string

TenantID is the identifier for the tenant in which this subscription lives. Must be a lowercase UUID

clientID

string

ClientID is an optional client ID to use to perform the actions in this cloud access config when federating from AWS or GCP. This field can only be provided when the Cloud Identity in use is not an Azure cloud identity. Must be a lowercase UUID

CloudAccessConfigGCP

(Appears on: CloudAccessCheckSpec, CloudAccessConfigSpec)

CloudAccessConfigGCP is the GCP-specific configuration for a CloudAccessConfig

Field | Description
project

string

Project is the user assigned projectId “name” of the GCP project to use. See https://cloud.google.com/resource-manager/reference/rest/v1/projects

projectNumber

int64

ProjectNumber is the number of the GCP project to use. This is only required when accessing GCP from AWS or Azure.

workloadIdentityPoolID

string

WorkloadIdentityPoolID is the ID of the workload identity pool to use for this project. This is only required when accessing GCP from AWS or Azure. From the GCP validation: “This value can contain the characters a–z and 0–9.”, “Must be at least 4 characters long.”

workloadIdentityProviderID

string

WorkloadIdentityProviderID is the ID of the workload identity provider to use for this project. This is only required when accessing GCP from AWS or Azure. From the GCP validation: “This value can contain the characters a–z and 0–9.”, “Must be at least 4 characters long.”

CloudAccessConfigPermission

(Appears on: CloudAccessCheckSpec, CloudAccessConfigSpec)

Field | Description
permission

string

Permission identifies which of Wayfinder’s built-in permission sets this allows access to.

awsRole

string

AWSRole defines an AWS IAM role (via ARN or name) that should be assumed by Wayfinder when using this permission. Only valid if this CloudAccessConfig refers to an AWS account. For more information, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html

gcpServiceAccount

string

GCPServiceAccount defines a GCP service account that should be assumed by Wayfinder when using this permission. Only valid if this CloudAccessConfig refers to a GCP project.

azureCloudIdentityName

string

AzureCloudIdentityName defines the name of a CloudIdentity in the same workspace as this CloudAccessConfig which should be used by Wayfinder when using this permission. Deprecated: Included for backwards-compatibility with v2beta1 and will be removed in v2. Use spec.azure.clientID field on CloudAccessConfig instead.

CloudAccessConfigReference

(Appears on: WorkloadIdentitySpec, ClusterSpec, DNSZoneSpec, ClusterNetworkSpec, PeeringRuleSpec, PeeringSpec)

Field | Description
namespace

string

name

string

CloudAccessConfigSpec

(Appears on: CloudAccessConfig)

CloudAccessConfigSpec defines the specification of an account known to Wayfinder

Field | Description
type
CloudAccessConfigType

Type is the type of this cloud access config - this maps to a particular Wayfinder feature set.

cloud
CloudAccessCloud

Cloud defines which cloud provider this cloud access config represents.

description

string

Description is an optional longer human-readable description of this cloud access config to help users understand which cloud access configuration to choose.

aws
CloudAccessConfigAWS

AWS provides the details for an AWS account. Only one of AWS, GCP or Azure can be populated.

azure
CloudAccessConfigAzure

Azure provides the details for an Azure subscription. Only one of AWS, GCP or Azure can be populated.

gcp
CloudAccessConfigGCP

GCP provides the details for a GCP project. Only one of AWS, GCP or Azure can be populated.

stage

string

Stage defines the stage this cloud access config will be used for in the workspace. Optional for ‘admin’ cloud access configs, required for workspace cloud access configs.

cloudIdentityRef
CloudIdentityReference

CloudIdentityRef is a reference to the credential for Wayfinder to identify itself to this cloud provider when using this configuration.

permissions
[]CloudAccessConfigPermission

Permissions defines the possible ways in which Wayfinder can use this cloud account, along with any provider-specific information about how Wayfinder should operate when needing that permission - for example, assuming an AWS IAM role or jumping into a specific GCP service account.
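
The field descriptions for CloudAccessConfigSpec and its provider blocks (CloudAccessConfigAzure, CloudAccessConfigGCP, CloudAccessConfigPermission) carry a number of rules that the API reference states only in prose: exactly one of aws, azure or gcp may be populated; Azure identifiers must be lowercase UUIDs; azure.clientID is only allowed when the cloud identity is not an Azure identity; gcp.projectNumber and the workload identity pool/provider IDs are required only when federating into GCP from AWS or Azure; and awsRole/gcpServiceAccount on a permission are only valid for the matching cloud. The Go below is an added example of a pre-apply linter for those rules; it is not the project's own validation code. The struct mirrors, the workspaceScoped flag, and the assumption that a cloudIdentityRef with an empty cloud means an implicit identity in the same cloud are all introduced for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Illustrative mirrors of the v2beta2 spec fields used below (not the project's generated types).
type CloudAccessConfigAWS struct{ Account, DefaultRegion string }
type CloudAccessConfigAzure struct{ Subscription, TenantID, ClientID string }
type CloudAccessConfigGCP struct {
	Project                    string
	ProjectNumber              int64
	WorkloadIdentityPoolID     string
	WorkloadIdentityProviderID string
}
type CloudAccessConfigPermission struct{ Permission, AWSRole, GCPServiceAccount string }
type CloudIdentityReference struct{ Cloud, Name string }
type CloudAccessConfigSpec struct {
	Type, Cloud, Stage string
	AWS                *CloudAccessConfigAWS
	Azure              *CloudAccessConfigAzure
	GCP                *CloudAccessConfigGCP
	CloudIdentityRef   CloudIdentityReference
	Permissions        []CloudAccessConfigPermission
}

// "Must be a lowercase UUID" for the Azure identifiers.
var lowercaseUUID = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// GCP validation quoted on the page: characters a-z and 0-9, at least 4 characters long.
var gcpIdentifier = regexp.MustCompile(`^[a-z0-9]{4,}$`)

// ValidateCloudAccessConfigSpec returns one message per violated rule; an empty
// result means the spec satisfies every constraint the field descriptions state.
// workspaceScoped is an assumed caller-supplied flag: stage is required for
// workspace configs and optional for admin ones.
func ValidateCloudAccessConfigSpec(s CloudAccessConfigSpec, workspaceScoped bool) []string {
	var errs []string

	// Exactly one provider block, and it must agree with spec.cloud.
	populated := 0
	for _, set := range []bool{s.AWS != nil, s.Azure != nil, s.GCP != nil} {
		if set {
			populated++
		}
	}
	if populated != 1 {
		errs = append(errs, "exactly one of aws, azure or gcp must be populated")
	}
	switch s.Cloud {
	case "aws", "azure", "gcp":
		if (s.Cloud == "aws" && s.AWS == nil) || (s.Cloud == "azure" && s.Azure == nil) || (s.Cloud == "gcp" && s.GCP == nil) {
			errs = append(errs, fmt.Sprintf("cloud is %q but the %s block is empty", s.Cloud, s.Cloud))
		}
	default:
		errs = append(errs, fmt.Sprintf("cloud must be aws, azure or gcp, got %q", s.Cloud))
	}

	if workspaceScoped && s.Stage == "" {
		errs = append(errs, "stage is required for workspace cloud access configs")
	}

	// Assumption: a cloudIdentityRef with an empty cloud is an implicit identity in
	// the same cloud; any other cloud means Wayfinder federates into this account.
	identityCloud := s.CloudIdentityRef.Cloud
	if identityCloud == "" {
		identityCloud = s.Cloud
	}
	federated := identityCloud != s.Cloud

	if s.Azure != nil {
		if !lowercaseUUID.MatchString(s.Azure.Subscription) {
			errs = append(errs, "azure.subscription must be a lowercase UUID")
		}
		if !lowercaseUUID.MatchString(s.Azure.TenantID) {
			errs = append(errs, "azure.tenantID must be a lowercase UUID")
		}
		if s.Azure.ClientID != "" {
			if !lowercaseUUID.MatchString(s.Azure.ClientID) {
				errs = append(errs, "azure.clientID must be a lowercase UUID")
			}
			if identityCloud == "azure" {
				errs = append(errs, "azure.clientID may only be set when the cloud identity is not an Azure identity")
			}
		}
	}

	if s.GCP != nil && federated {
		if s.GCP.ProjectNumber == 0 {
			errs = append(errs, "gcp.projectNumber is required when accessing GCP from AWS or Azure")
		}
		if !gcpIdentifier.MatchString(s.GCP.WorkloadIdentityPoolID) {
			errs = append(errs, "gcp.workloadIdentityPoolID is required when federating and must be a-z/0-9, at least 4 characters")
		}
		if !gcpIdentifier.MatchString(s.GCP.WorkloadIdentityProviderID) {
			errs = append(errs, "gcp.workloadIdentityProviderID is required when federating and must be a-z/0-9, at least 4 characters")
		}
	}

	for _, p := range s.Permissions {
		if p.AWSRole != "" && s.Cloud != "aws" {
			errs = append(errs, fmt.Sprintf("permission %q: awsRole is only valid for AWS accounts", p.Permission))
		}
		if p.GCPServiceAccount != "" && s.Cloud != "gcp" {
			errs = append(errs, fmt.Sprintf("permission %q: gcpServiceAccount is only valid for GCP projects", p.Permission))
		}
	}
	return errs
}

func main() {
	// Constructed sample: a GCP project reached from an AWS-hosted Wayfinder with an incomplete federation setup.
	spec := CloudAccessConfigSpec{
		Type: "Provisioning", Cloud: "gcp", Stage: "dev",
		GCP:              &CloudAccessConfigGCP{Project: "example-project", WorkloadIdentityPoolID: "wf"},
		CloudIdentityRef: CloudIdentityReference{Cloud: "aws", Name: "wayfinder-host-identity"},
	}
	for _, e := range ValidateCloudAccessConfigSpec(spec, true) {
		fmt.Println("violation:", e)
	}
}
```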

CloudAccessConfigStatus

(Appears on: CloudAccessConfig)

CloudAccessConfigStatus defines the status of a cloud access configuration

Field | Description
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

azureTenantID

string

AzureTenantID is the Tenant ID the azure subscription resides within. This will only be populated for Azure cloud access configurations.

identity
CloudAccessIdentityStatus

Identity describes whether the referenced cloud identity is valid and accessible

permissions
[]CloudAccessPermissionStatus

Permissions is the status of the permissions that have been configured.

requiredPermissions

[]string

RequiredPermissions indicates the list of permissions that this cloud access config needs working in order for the requested type to function.

typeReady

bool

TypeReady indicates whether the cloudaccessconfig is ready to use for this type. Deprecated: Will be removed in v2, included for backwards compatibility with v2beta1.

setupRequired

bool

SetupRequired indicates that the permissions on this cloud access config require setup. Deprecated: Will be removed in v2, included for backwards compatibility with v2beta1.

identifier

string

Identifier is the account/project/subscription ID for this cloud access config.

identifierType

string

IdentifierType is the type of the identifier for this cloud access config. Will be set to “Account” for AWS, “Subscription” for Azure, and “Project” for GCP.

CloudAccessConfigType

(string alias) (Appears on: CloudAccessConfigSpec)

CloudAccessConfigType defines the type of a cloud access config - i.e. what it is used for

Value | Description
"CostsEstimates"
"DNSZoneManagement"
"NetworkPeering"
"Provisioning"

CloudAccessIdentityStatus

(Appears on: CloudAccessCheckStatus, CloudAccessConfigStatus)

Field | Description
valid

bool

Valid indicates if the supplied identity is valid

message

string

Message defines a human-readable description of any problem using the identity

CloudAccessIdentityType

(string alias) (Appears on: CloudIdentityMeta, CloudIdentityMetaAWS, CloudIdentityMetaAzure, CloudIdentityMetaGCP, CloudIdentitySpec)

CloudAccessIdentityType is the type of this cloud identity

Value | Description
"AWSIAMRoleForServiceAccount"
"AWSIAMUserKey"
"AzureADClientSecret"
"AzureADPodIdentity"

CloudAccessIdentityAzureADPodIdentity is a legacy AADPodIdentity identity that has not been migrated. Remove in v2.5.

"AzureADWorkloadIdentity"
"AzureCrossTenantADWorkloadIdentity"

CloudAccessIdentityAzureCrossTenantADWorkloadIdentity is a cross-tenant Azure AD workload identity. This must use a multi-tenant Enterprise Azure Application and a federated identity.

"GCPServiceAccountKey"
"GCPWorkloadIdentity"

CloudAccessPermissionStatus

(Appears on: CloudAccessCheckStatus, CloudAccessConfigStatus)

Field | Description
permission

string

Permission is the Wayfinder cloud permission that this has been validated for

canAccess

bool

CanAccess indicates whether or not the provider role/identity is accessible

permissionsCorrect

bool

PermissionsCorrect indicates if the permissions are correct

missingPermissions

[]string

MissingPermissions indicates if the role/identity has missing permissions

valid

bool

Valid defines whether the permission is valid

message

string

Message defines a human-readable description of any problem using the permission
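
CloudAccessConfigStatus and CloudAccessPermissionStatus together tell an operator whether a configuration can actually serve its type: identity.valid says whether the referenced identity works, requiredPermissions lists what the type needs, and each permission entry reports canAccess, permissionsCorrect, missingPermissions and valid. The Go below is an added example of consuming those fields as a readiness gate; it is not the project's own logic. The readiness rule (identity valid and every required permission valid), the surplus-permission report, and the constructed permission names and IAM actions are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Illustrative mirrors of the status fields used below (not the project's generated types).
type CloudAccessIdentityStatus struct {
	Valid   bool
	Message string
}

type CloudAccessPermissionStatus struct {
	Permission         string
	CanAccess          bool
	PermissionsCorrect bool
	MissingPermissions []string
	Valid              bool
	Message            string
}

type CloudAccessConfigStatus struct {
	Identity            CloudAccessIdentityStatus
	Permissions         []CloudAccessPermissionStatus
	RequiredPermissions []string
	Identifier          string
	IdentifierType      string
}

// Readiness is the summary an operator would gate on before relying on the config.
type Readiness struct {
	Ready    bool     // identity valid and every required permission valid
	Blockers []string // one line per problem, in requiredPermissions order
	Surplus  []string // configured permissions the requested type does not need
}

// AssessReadiness applies an assumed rule: the config is usable only when the
// referenced identity is valid and each entry of requiredPermissions has a
// configured permission whose status is valid. Permissions configured beyond
// requiredPermissions are reported as surplus so they can be reviewed for least privilege.
func AssessReadiness(st CloudAccessConfigStatus) Readiness {
	var r Readiness
	if !st.Identity.Valid {
		r.Blockers = append(r.Blockers, "identity: "+orUnknown(st.Identity.Message))
	}
	configured := make(map[string]CloudAccessPermissionStatus, len(st.Permissions))
	for _, p := range st.Permissions {
		configured[p.Permission] = p
	}
	required := make(map[string]bool, len(st.RequiredPermissions))
	for _, name := range st.RequiredPermissions {
		required[name] = true
		p, ok := configured[name]
		switch {
		case !ok:
			r.Blockers = append(r.Blockers, "permission "+name+": not configured on this cloud access config")
		case !p.CanAccess:
			r.Blockers = append(r.Blockers, "permission "+name+": role/identity not accessible: "+orUnknown(p.Message))
		case !p.PermissionsCorrect:
			missing := append([]string(nil), p.MissingPermissions...)
			sort.Strings(missing) // stable output for diffs and alerts
			r.Blockers = append(r.Blockers, "permission "+name+": missing "+strings.Join(missing, ", "))
		case !p.Valid:
			r.Blockers = append(r.Blockers, "permission "+name+": invalid: "+orUnknown(p.Message))
		}
	}
	for _, p := range st.Permissions {
		if !required[p.Permission] {
			r.Surplus = append(r.Surplus, p.Permission)
		}
	}
	sort.Strings(r.Surplus)
	r.Ready = len(r.Blockers) == 0
	return r
}

func orUnknown(msg string) string {
	if msg == "" {
		return "no message reported"
	}
	return msg
}

// SampleStatus is a constructed status; permission names and IAM actions are placeholders.
func SampleStatus() CloudAccessConfigStatus {
	return CloudAccessConfigStatus{
		Identity:            CloudAccessIdentityStatus{Valid: true},
		Identifier:          "123456789012",
		IdentifierType:      "Account",
		RequiredPermissions: []string{"perm-provision", "perm-dns"},
		Permissions: []CloudAccessPermissionStatus{
			{Permission: "perm-provision", CanAccess: true, PermissionsCorrect: false,
				MissingPermissions: []string{"ec2:DescribeVpcs", "ec2:CreateVpc"}},
			{Permission: "perm-costs", CanAccess: true, PermissionsCorrect: true, Valid: true},
		},
	}
}

func main() {
	st := SampleStatus()
	r := AssessReadiness(st)
	fmt.Printf("%s %s ready=%v\n", st.IdentifierType, st.Identifier, r.Ready)
	for _, b := range r.Blockers {
		fmt.Println("blocker:", b)
	}
	for _, s := range r.Surplus {
		fmt.Println("surplus (review for least privilege):", s)
	}
}
```

On the constructed sample the config is not ready: one required permission is missing two IAM actions and another is not configured at all, while a third permission is configured that the type does not require.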

CloudIdentityAWS

(Appears on: CloudIdentitySpec)

Field | Description
roleARN

string

RoleARN is the IAM role being used when type is AWSIAMRoleForServiceAccount. If provided, will be used to validate on usage that Wayfinder is in the expected role.

userARN

string

UserARN is the IAM user being used when type is AWSIAMUserKey. If provided, will be used to validate on usage that Wayfinder is in the expected user.

CloudIdentityAzure

(Appears on: CloudIdentitySpec)

Field | Description
tenantID

string

TenantID is the tenant in which this Azure identity resides.

clientID

string

ClientID is the client ID that this Azure identity references. If provided, will be used to validate on usage that Wayfinder is using the expected client ID.

CloudIdentityGCP

(Appears on: CloudIdentitySpec)

Field | Description
serviceAccount

string

ServiceAccount is the GCP service account email that this GCP identity references. If provided, will be used to validate on usage that Wayfinder is using the expected service account.

CloudIdentityMeta

CloudIdentityMeta describes the supported types of CloudIdentity on this instance of Wayfinder

Field | Description
hostCloud
CloudAccessCloud

HostCloud is where this instance of Wayfinder is running. May be empty if Wayfinder is installed in a non-cloud environment.

hostRegion

string

HostRegion is the region of the host cloud where Wayfinder is running, if known.

workloadIdentityType
CloudAccessIdentityType

WorkloadIdentityType defines the cloud identity type to use for zero-credential access on this instance of Wayfinder. If unpopulated, there is no supported workload identity type in this environment.

workloadIdentityCloudIdentity
CloudIdentityReference

WorkloadIdentityCloudIdentity is the reference to this instance's CloudIdentity object representing the workload identity, if configured. If null, no cloud identity has yet been configured for this cloud.

workloadIdentity
CloudIdentitySpec

WorkloadIdentity contains the spec of a CloudIdentity suitable to use the workload identity (credential-less) provided to Wayfinder at install time.

aws
CloudIdentityMetaAWS

AWS describes the methods to set up a CloudAccessConfig to access AWS accounts.

azure
CloudIdentityMetaAzure

Azure describes the methods to set up a CloudAccessConfig to access Azure subscriptions.

gcp
CloudIdentityMetaGCP

GCP describes the methods to set up a CloudAccessConfig to access GCP projects

CloudIdentityMetaAWS

(Appears on: CloudIdentityMeta)

Field | Description
supportedIdentityTypes
[]CloudAccessIdentityType

SupportedIdentityTypes are the types of CloudIdentity that can be used to access AWS accounts in this instance of Wayfinder.

CloudIdentityMetaAzure

(Appears on: CloudIdentityMeta)

Field | Description
supportedIdentityTypes
[]CloudAccessIdentityType

SupportedIdentityTypes are the types of CloudIdentity that can be used to access Azure subscriptions in this instance of Wayfinder.

CloudIdentityMetaGCP

(Appears on: CloudIdentityMeta)

Field | Description
supportedIdentityTypes
[]CloudAccessIdentityType

SupportedIdentityTypes are the types of CloudIdentity that can be used to access GCP projects in this instance of Wayfinder.

CloudIdentityOIDC

(Appears on: CloudIdentityStatus)

CloudIdentityOIDC describes the relevant OIDC details for this identity

Field | Description
issuer

string

Issuer is the URL of the OIDC issuer to trust in order to validate this identity.

audience

string

Audience is the audience to verify in order to validate this identity in cross-cloud flows.

subject

string

Subject is the subject to verify in order to validate this identity in cross-cloud flows.

CloudIdentityReference

(Appears on: CloudAccessCheckSpec, CloudAccessConfigSpec, CloudIdentityMeta)

CloudIdentityReference is a reference specifically to a cloud identity

Field | Description
cloud

string

Cloud that this cloud identity references.

name

string

Name for the credential, specify empty for implicit credentials

namespace

string

Namespace is deprecated, included only for backwards-compatibility with v2beta1. Deprecated: No namespace field will be present in v2 for a cloud identity reference.

CloudIdentitySpec

(Appears on: CloudIdentity, CloudAccessCheckSpec, CloudIdentityMeta)

CloudIdentitySpec defines the metadata about the identity. When required, it will have a reference to a Kubernetes secret containing the credentials.

Field | Description
cloud
CloudAccessCloud

Cloud defines which cloud provider this credential is for

type
CloudAccessIdentityType

Type is the identity type in cloud that this represents

aws
CloudIdentityAWS

AWS is the cloud-specific settings for this cloud identity for AWS

azure
CloudIdentityAzure

Azure is the cloud-specific settings for this cloud identity for Azure

gcp
CloudIdentityGCP

GCP is the cloud-specific settings for this cloud identity for GCP

credentialsInputData

map[string]string

CredentialsInputData can be used to populate the secret when creating/updating a credential. This will never be populated when the credential is returned from the API. If specified, this must include the correct set of keys for credentials for the cloud provider that CloudAccount references.

secretRef
Kubernetes core/v1.SecretReference

SecretRef is a reference to the Kubernetes secret containing the actual key data for this credential. If the secret does not exist but CredentialsInputData is populated, this secret will be created. This can also be a reference to an existing secret managed outside Wayfinder. Where CredentialsInputData is specified but this is left blank, Wayfinder will assign this value.

credentialsUpdated
Kubernetes meta/v1.Time

CredentialsUpdated should be set to the current time when an underlying secret is updated. This will be automatically set to the current time if CredentialsInputData is set. If you manually change the secret outside Wayfinder, update this field to trigger re-verification of this credential.

CloudIdentityStatus

(Appears on: CloudIdentity, CloudAccessCheckStatus)

CloudIdentityStatus represents the status of a cloud identity for account access

Field | Description
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

azureTenantID

string

AzureTenantID is the Tenant ID, when known. For an implicit identity, this will be detected from the environment in which Wayfinder is running.

azurePrincipalID

string

AzurePrincipalID is the Principal ID, when known. This is set when Wayfinder is installed on an AKS cluster, and can be referenced and used when creating Azure role assignments for Wayfinder.

gcpServiceAccountID

string

GCPServiceAccountID is the Service Account ID. It will be obtained dynamically.

verified

bool

Verified checks that the credentials are ok and valid

identity

string

Identity is the unique reference to the cloud principal, e.g. an AWS role, a GCP service account, etc.

oidc
CloudIdentityOIDC

OIDC provides details of an OIDC issuer that can be used to verify/trust this identity when operating in cross-cloud flows.

CloudPermission

CloudPermission defines the permissions required in cloud for a particular Wayfinder permission set.

Field | Description
metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
CloudPermissionSpec
functionality

string

Functionality is the area of functionality that Wayfinder needs this permission for

description

string

Description is a longer human-readable description of what this permission permits Wayfinder to do

applicableToWorkspaces

bool

ApplicableToWorkspaces indicates if this permission is applicable to cloud access configurations in workspaces

applicableGlobal

bool

ApplicableToGlobal indicates if this permission is applicable to global/admin cloud access configurations

requiresstage

bool

RequiresStage indicates if this permission requires a stage

aws
[]AWSCloudPermissions

AWS is the details of the required permissions on AWS for this permission

azure
AzureCloudPermissions

Azure is the details of the required permissions on Azure for this permission

gcp
GCPCloudPermissions

GCP is the details of the required permissions on GCP for this permission

status
CommonStatus
status
Status

Status is the overall status of the resource. This will shortly become required, hence no omit empty here.

message

string

Message is a description of the current status

detail

string

(Optional)

Detail is any additional human-readable detail to understand the current status, for example, the full underlying error which caused an issue

conditions
Conditions

Conditions represents the observations of the resource’s current state.

pendingSince
LastReconcileStatus

PendingSince describes the generation and time of the first reconciliation with a pending status since the last successful reconcile for this generation

lastReconcile
LastReconcileStatus

LastReconcile describes the generation and time of the last reconciliation

lastSuccess
LastReconcileStatus

LastSuccess describes the generation and time of the last reconciliation which resulted in a Success status

cloudResourcesCreated

bool

CloudResourcesCreated indicates that at some point, this resource has successfully created one or more cloud resources. This is used when deleting to decide whether to fail or ignore if a related cloud access config is inaccessible.

obsoleteResources
ObsoleteResourceList

ObsoleteResources contains a list of resources that are marked for deletion

wayfinderVersion

string

WayfinderVersion is the version of Wayfinder that last reconciled this resource

ownedResources
OwnedResources

OwnedResources lists the child resources (in Wayfinder and in cloud) owned by this resource

CloudPermissionSpec

(Appears on: CloudPermission)

CloudPermissionSpec defines the permissions required in cloud for a particular Wayfinder permission set

FieldDescription
functionality

string

Functionality is the area of functionality that Wayfinder needs this permission for

description

string

Description is a longer human-readable description of what this permission permits Wayfinder to do

applicableToWorkspaces

bool

ApplicableToWorkspaces indicates if this permission is applicable to cloud access configurations in workspaces

applicableGlobal

bool

ApplicableToGlobal indicates if this permission is applicable to global/admin cloud access configurations

requiresstage

bool

RequiresStage indicates if this permission requires a stage

aws
[]AWSCloudPermissions

AWS is the details of the required permissions on AWS for this permission

azure
AzureCloudPermissions

Azure is the details of the required permissions on Azure for this permission

gcp
GCPCloudPermissions

GCP is the details of the required permissions on GCP for this permission

ClusterServiceAccount

(Appears on: WorkloadIdentitySpec, WorkloadIdentity)

ClusterServiceAccount represents the identity inside the cluster that will use the workload identity

FieldDescription
namespace

string

name

string

GCPCloudPermissions

(Appears on: CloudPermissionSpec)

GCPCloudPermissions describes the permissions required for a particular Wayfinder cloud permission on GCP

FieldDescription
permissions

[]string

roles

string

GCPWorkloadIdentityParameters

(Appears on: WorkloadIdentityProviderDetails)

GCPWorkloadIdentityParameters is the parameters for a GCP workload identity

FieldDescription
roleBindings
[]GCPWorkloadIdentityRoleBinding

RoleBindings is a list of GCP role principal bindings to update for the identity. A policy binding is a role and scope bound to the workload identity.

GCPWorkloadIdentityRoleBinding

(Appears on: GCPWorkloadIdentityParameters)

FieldDescription
role

string

Role is the name of the GCP role to bind to the identity

scopeType

string

ScopeType is the API scope to bind the role to

WorkloadIdentityProviderDetails

(Appears on: WorkloadIdentitySpec)

WorkloadIdentityProviderDetails provides parameters that are specific to a particular type of workload identity

FieldDescription
type
WorkloadIdentityType
aws
AWSWorkloadIdentityParameters
(Optional)

AWS holds parameters specific to AWS workload identities. Present only if type is AWS.

gcp
GCPWorkloadIdentityParameters
(Optional)

GCP holds parameters specific to GCP workload identity. Present only if type is GCP.

azure
AzureWorkloadIdentityParameters
(Optional)

Azure holds parameters specific to Azure workload identity. Present only if type is Azure.

WorkloadIdentityRole

(string alias) (Appears on: WorkloadIdentitySpec, WorkloadIdentity)

WorkloadIdentityRole is a role to use for a workload identity. An empty value is allowed for forward compatibility with templated roles.

ValueDescription
"CertManager"

WorkloadIdentityRoleCertManager defines the required permissions for CertManager to function in a given cloud

"ClusterAutoscaler"

WorkloadIdentityRoleClusterAutoscaler defines the required permissions for the cluster autoscaler to function in a given cloud (only needed on AWS)

"ExternalDNS"

WorkloadIdentityRoleExternalDNS defines the required permissions for ExternalDNS to function in a given cloud

"None"

WorkloadIdentityRoleNone defines the “minimal” cloud permissions:
- For AWS the identity IS a role, to which only sts:GetCallerIdentity is granted
- For Azure no permissions are required

"TerraformExecutor"

WorkloadIdentityRoleTerraformExecutor defines the required permissions for the Terranetes controller to create and manage cloud resources

WorkloadIdentitySpec

(Appears on: WorkloadIdentity)

WorkloadIdentitySpec defines the specification of a workload identity which should be provisioned

FieldDescription
cloud
CloudAccessCloud

Cloud defines which cloud provider this workload identity is for

cloudAccessConfigRef
CloudAccessConfigReference

CloudAccessConfigRef defines which cloud access configuration to use to build this workload identity in

cluster
Ownership

Cluster is a reference to the cluster which this workload identity will be used in.

clusterServiceAccount
ClusterServiceAccount

ClusterServiceAccount is the name and namespace of the service account which will use this identity in the target cluster. Required on AWS and GCP, optional (and unused) on Azure at this time.

providerDetails
WorkloadIdentityProviderDetails

ProviderDetails provides additional fields which can be used for cloud-provider specific data needed to provision a workload identity.

role
WorkloadIdentityRole

Role must be the name of a valid workload identity role known to Wayfinder. It can optionally be None to indicate that no specific permissions are defined with the identity.

identityOnly

bool

IdentityOnly will create an identity associated with a cluster with no specific permissions. Role=None must be specified if this is true.
In AWS:
- An IAM role is created and associated with a specific Kubernetes service account
- No inline or attached policies are managed (post creation of the IAM role)
- It is a “user” responsibility to attach policies to the IAM role
In Azure:
- The user-defined managed identity is created
- No role definitions or role assignments are created
- It is a “user” responsibility to create relevant role assignments

roleParameters

map[string]string

RoleParameters are any parameters required for the specified role

cloudResourceName

string

CloudResourceName specifies the name of the workload identity in the cloud account. It can be left blank so that the name is derived from the cluster name + resource name.
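The constraints stated for WorkloadIdentitySpec above (IdentityOnly requires Role=None; ClusterServiceAccount is required on AWS and GCP; a provider block under ProviderDetails is present only when Type matches; Role is a known WorkloadIdentityRole or empty) are the kind of thing worth checking before a manifest is applied, so that a misconfigured identity is rejected client-side rather than after a reconcile fails. The following is an added example, not Wayfinder's own code or admission logic: it encodes those documented rules and runs them over two constructed manifests. The metadata names, the shapes of cloudAccessConfigRef and cluster, and the GCP role and scopeType values are assumptions for illustration only; the checks do not rely on them.

```python
"""Client-side sanity checks for a cloudaccess.appvia.io/v2beta2 WorkloadIdentity.

Added example: this is NOT part of Wayfinder. It only encodes the constraints
documented in the WorkloadIdentitySpec / WorkloadIdentityProviderDetails /
WorkloadIdentityRole reference; anything not documented there is left unchecked.
"""
from typing import Dict, List

# Values of the WorkloadIdentityRole alias; "" is allowed for forward compatibility.
KNOWN_ROLES = {"", "CertManager", "ClusterAutoscaler", "ExternalDNS", "None", "TerraformExecutor"}
# WorkloadIdentityType value -> key of the matching block under providerDetails.
PROVIDER_KEYS = {"AWS": "aws", "GCP": "gcp", "Azure": "azure"}


def validate_workload_identity(manifest: Dict) -> List[str]:
    """Return the list of documented-constraint violations; empty means it passes."""
    errors: List[str] = []
    spec = manifest.get("spec") or {}
    cloud = spec.get("cloud")
    role = spec.get("role", "")

    if cloud not in PROVIDER_KEYS:
        errors.append(f"spec.cloud must be one of {sorted(PROVIDER_KEYS)}, got {cloud!r}")
    if role not in KNOWN_ROLES:
        errors.append(f"spec.role {role!r} is not a known WorkloadIdentityRole")

    # IdentityOnly manages no permissions at all, so the spec must say Role=None.
    if spec.get("identityOnly") and role != "None":
        errors.append("spec.identityOnly=true requires spec.role=None")

    # ClusterServiceAccount is required on AWS and GCP; optional and unused on Azure.
    csa = spec.get("clusterServiceAccount") or {}
    if cloud in ("AWS", "GCP") and not (csa.get("name") and csa.get("namespace")):
        errors.append("spec.clusterServiceAccount.name and .namespace are required on AWS and GCP")

    # Under providerDetails, the aws/gcp/azure block is present only if type matches.
    details = spec.get("providerDetails")
    if details is not None:
        ptype = details.get("type")
        if ptype not in PROVIDER_KEYS:
            errors.append(f"spec.providerDetails.type must be one of {sorted(PROVIDER_KEYS)}, got {ptype!r}")
        for wtype, key in PROVIDER_KEYS.items():
            if key in details and wtype != ptype:
                errors.append(f"spec.providerDetails.{key} is present but type is {ptype!r}")
        # Each GCP role binding is a role plus the scope it is bound to.
        for i, binding in enumerate((details.get("gcp") or {}).get("roleBindings") or []):
            if not binding.get("role") or not binding.get("scopeType"):
                errors.append(f"spec.providerDetails.gcp.roleBindings[{i}] needs both role and scopeType")
    return errors


# Constructed sample: a well-formed AWS identity for ExternalDNS (names are made up).
VALID_AWS = {
    "apiVersion": "cloudaccess.appvia.io/v2beta2",
    "kind": "WorkloadIdentity",
    "metadata": {"name": "external-dns", "namespace": "ws-demo"},
    "spec": {
        "cloud": "AWS",
        "cloudAccessConfigRef": {"name": "aws-dev"},  # assumed reference shape
        "cluster": {"name": "dev-cluster"},           # assumed Ownership shape
        "clusterServiceAccount": {"namespace": "external-dns", "name": "external-dns"},
        "role": "ExternalDNS",
    },
}

# Constructed sample that breaks three documented rules: identityOnly without
# Role=None, no clusterServiceAccount on GCP, and an aws block under type GCP.
INVALID_GCP = {
    "apiVersion": "cloudaccess.appvia.io/v2beta2",
    "kind": "WorkloadIdentity",
    "metadata": {"name": "broken", "namespace": "ws-demo"},
    "spec": {
        "cloud": "GCP",
        "cloudAccessConfigRef": {"name": "gcp-dev"},
        "cluster": {"name": "dev-cluster"},
        "identityOnly": True,
        "role": "ExternalDNS",
        "providerDetails": {
            "type": "GCP",
            "aws": {},
            # role/scopeType values are illustrative assumptions, not documented values
            "gcp": {"roleBindings": [{"role": "roles/dns.admin", "scopeType": "project"}]},
        },
    },
}

if __name__ == "__main__":
    for name, m in (("VALID_AWS", VALID_AWS), ("INVALID_GCP", INVALID_GCP)):
        print(name, validate_workload_identity(m) or "ok")
```

Run it as a script to see the violations for the second manifest; in a CI pipeline the same function can be run over rendered manifests before `kubectl apply`, failing the job on any non-empty list.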

WorkloadIdentityStatus

(Appears on: WorkloadIdentity)

WorkloadIdentityStatus defines the status of a workload identity

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

identity

string

Identity contains a cloud-provider specific reference to the identity created for this resource, e.g. an AWS ARN or GCP service account email

WorkloadIdentityType

(string alias) (Appears on: WorkloadIdentityProviderDetails)

WorkloadIdentityType represents the concrete type of a workload identity to provide

ValueDescription
"AWS"

WorkloadIdentityTypeAWS is for AWS managed workload identity

"Azure"

WorkloadIdentityTypeAzure is for Azure managed workload identity

"GCP"

WorkloadIdentityTypeGCP is for GCP managed workload identity